Performing a coordinated refresh

Coordinated refresh may be performed on a single instance of ICSF, on a single-system sysplex, or on a multi-system sysplex. The coordinated refresh operation is initiated from a single ICSF instance and then carried out across all other sysplex members sharing the same active KDS (CKDS or PKDS only). This results in the in-storage copy of the KDS being updated for all ICSF instances in the sysplex that share the same active KDS as the initiator. This function is not available for the TKDS.

To perform a coordinated CKDS refresh, all members of the sysplex (including sysplex members that are not configured with the same active CKDS) must be at the ICSF FMID HCR7790 level or later. In addition, no system sharing the CKDS can be a CCF system (such as a z900 system).

To perform a coordinated PKDS refresh, all members of the sysplex (including sysplex members that are not configured with the same active PKDS) must be at the ICSF FMID HCR77A0 level or later. In addition, no system sharing the PKDS can be a CCF system (such as a z900 system).

Before performing a coordinated refresh, you should disable dynamic KDS updates on all sysplex members for the KDS type you are processing. For information on disabling dynamic CKDS updates, see Steps for disallowing dynamic CKDS updates during CKDS administration updates in Managing Cryptographic Keys Using the Key Generator Utility Program. For information on disabling PKA callable services, see Steps for enabling and disabling PKA callable services and Dynamic CKDS/PKDS Access in Managing CCA Master Keys.

If you are performing a coordinated refresh to a new KDS, you must ensure that the new target KDS of the refresh contains data set attributes that are consistent with the currently active KDS. This data set must be allocated, must not be empty, and must be enciphered with the current master key or keys. You will optionally be able to use the archive option for renaming the current KDS to an archive name and the new KDS to the active KDS name. The archive data set name must not be allocated or exist on the system prior to performing the coordinated refresh.

To perform a coordinated refresh:

  1. Enter option 2, KDS MANAGEMENT, on the ICSF Primary Menu panel to access the Master key set or change, KDS processing panel.
  2. The CSFMKM10 — Key Data Set Management panel is displayed.

    To perform a coordinated refresh of the CKDS, select option 1, CKDS MK MANAGEMENT to perform Cryptographic Key Data Set (CKDS) functions including master key management. The CSFMKM20 — CKDS Management panel appears. Then select option 4, COORDINATED CKDS REFRESH.

    To perform a coordinated refresh of the PKDS, select option 2, PKDS MK MANAGEMENT to perform Public Key Data Set (PKDS) functions including master key management. The CSFMKM30 — PKDS Management panel appears. Then select option 4, Coordinated PKDS Refresh.

  3. The Coordinated KDS Refresh panel is displayed. In this example a coordinated CKDS refresh is being performed.
    CSFCRC20 ------------  ICSF – Coordinated KDS Refresh --------------------
    COMMAND ===>
    To perform a coordinated KDS refresh to a new KDS, enter the KDS names below
    and optionally select the rename option. To perform a coordinated KDS refresh
    of the active KDS, simply press enter without entering anything on this panel.

        KDS Type ===> CKDS
      Active KDS ===> 'PLEX.TEST.CKDS'

         New KDS ===>

              Rename Active to Archived and New to Active (Y/N) ===> N

              Archived KDS ===>

    Press ENTER to perform a coordinated KDS refresh.
    Press END to exit to the previous menu.

    The active KDS name is displayed in the Active KDS field for the selected KDS type. You can use this panel to refresh to a new KDS or to refresh the active KDS.

    • To refresh to a new KDS:
      1. Enter the name of the new KDS in the New KDS field. This data set must be allocated, not empty, and enciphered under the current master key or keys.
      2. Optionally the rename option may be used to have the current KDS renamed to an archive name and the new KDS renamed to the active KDS name. The rename option simplifies KDS administration by removing the need to update the ICSF Options Data Set with the name of the new data set after the coordinated KDS refresh to a new KDS completes.
        • If you would like to have the new KDS renamed to match the name of the current active KDS:
          1. Type Y in the Rename Active to Archived and the New to Active ( Y / N ) field.
          2. Enter the name under which the currently active KDS will be archived in the Archived KDS field. The archive KDS name must not be allocated and must not exist on the system prior to performing the coordinated refresh to a new data set.
        • If you do not want to have the new KDS renamed to match the name of the current active KDS, type N in the Rename Active to Archived and the New to Active ( Y / N ) field. Remember to change the name of the KDS in the Installation Options Data Set as described in the z/OS Cryptographic Services ICSF System Programmer's Guide. The KDS name must be changed in each cluster member's Installation Options Data Set after the coordinated KDS refresh function completes successfully. If the Installation Options Data Set is updated with a new KDS name and the coordinated KDS refresh function fails, ICSF might be configured with an invalid KDS the next time it is restarted.
      3. Press ENTER to begin the coordinated refresh.
    • To refresh the active KDS, no input is required on the panel; any input entered is ignored.
      1. Verify that the Active KDS field shows the name of the active KDS. ICSF should have filled in this field automatically.
      2. Press ENTER to begin the coordinated refresh.
  4. A confirmation panel will be displayed, prompting you to verify that you want to continue with the coordinated refresh. Verify that the information on this confirmation panel is correct. If it is, type Y in the confirmation field provided and press ENTER. The Coordinated KDS Refresh will then start processing.
  5. Verify the dialog results, and address any indicated failures or unexpected results.
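The preconditions this procedure states (FMID level of every sysplex member, no CCF system sharing the KDS, a new KDS that is allocated and not empty, an archive name that does not yet exist, and panel input ignored for a refresh of the active KDS) can be collected into a preflight check run before the panel is used. The following is an added example, not ICSF code; the Member and Catalog classes are constructed stand-ins for sysplex and catalog information, and FMID ordering by lexicographic comparison of the characters after HCR is an assumption. Whether the new KDS is enciphered under the current master keys is not checked here.

```python
"""Constructed preflight check for a coordinated KDS refresh (not ICSF code)."""
from dataclasses import dataclass, field

MIN_FMID = {"CKDS": "HCR7790", "PKDS": "HCR77A0"}  # minimum levels stated in the text

@dataclass
class Member:
    name: str
    fmid: str                # ICSF FMID of this sysplex member, e.g. "HCR77B0"
    ccf: bool = False        # CCF system (such as a z900)
    shares_kds: bool = True  # configured with the same active KDS as the initiator

@dataclass
class Catalog:
    """Constructed stand-in for the catalog: data set name -> record count."""
    datasets: dict = field(default_factory=dict)
    def allocated(self, name): return name in self.datasets
    def empty(self, name): return self.datasets.get(name, 0) == 0

def fmid_at_least(fmid, minimum):
    # Assumption: FMID suffixes order lexicographically ("7790" < "77A0" < "77B0")
    return fmid[3:] >= minimum[3:]

def preflight(kds_type, members, catalog, new_kds="", rename="N", archive=""):
    """Return a list of precondition violations; an empty list means go ahead."""
    if kds_type not in MIN_FMID:
        return [f"coordinated refresh not available for {kds_type}"]  # e.g. TKDS
    errors = []
    for m in members:
        # Every member must meet the level, even those not sharing this KDS
        if not fmid_at_least(m.fmid, MIN_FMID[kds_type]):
            errors.append(f"{m.name}: {m.fmid} below {MIN_FMID[kds_type]}")
        if m.ccf and m.shares_kds:
            errors.append(f"{m.name}: CCF system sharing the {kds_type}")
    if not new_kds:
        return errors  # refresh of the active KDS: remaining fields are ignored
    if not catalog.allocated(new_kds):
        errors.append(f"new KDS {new_kds} is not allocated")
    elif catalog.empty(new_kds):
        errors.append(f"new KDS {new_kds} is empty")
    if rename == "Y":
        if not archive:
            errors.append("rename requested but no archived KDS name given")
        elif catalog.allocated(archive):
            errors.append(f"archived KDS name {archive} already exists")
    return errors
```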